Date: Fri, 17 Aug 2007 16:31:28 -0600
From: Miguel <mmiranda@123.com.sv>
To: freebsd-questions@freebsd.org
Subject: detect ip spoofing attack
Message-ID: <46C621C0.40008@123.com.sv>
Hi, I think I'm suffering an IP (or MAC, I'm not sure) spoofing attack. My internet link is at 90%, mostly outgoing traffic. I'm using pf (for NAT), so I ran pftop and I see a lot of connections from one specific IP address (192.168.206.68), but this address is not assigned to any PC, and it doesn't respond to ping either; nmap doesn't report any open port. I see the translations and established traffic in pftop and the traffic flow using tcpdump. How can I know what computer is causing this traffic? Looking for the MAC address in every PC should be the last alternative :-(

pftop:

tcp In 192.168.206.68:1612 201.212.189.217:22512 ESTABLISHED:ESTABLISHED 03:42:20 20:22:46 24 7133
tcp Out 192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp In 192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp In 192.168.206.68:1648 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 01:33:27 22:28:25 29 6373
tcp Out 192.168.206.68:1648 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 01:33:27 22:28:25 29 6373
tcp In 192.168.206.68:1652 200.127.48.74:21549 ESTABLISHED:ESTABLISHED 01:33:22 22:29:49 86 47436
tcp Out 192.168.206.68:1652 200.127.48.74:21549 ESTABLISHED:ESTABLISHED 01:33:22 22:29:49 86 47436
tcp Out 192.168.206.68:1689 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp In 192.168.206.68:1689 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp In 192.168.206.68:1724 201.235.228.59:17870 ESTABLISHED:ESTABLISHED 03:40:39 20:21:16 29 9110
tcp Out 192.168.206.68:1724 201.235.228.59:17870 ESTABLISHED:ESTABLISHED 03:40:39 20:21:16 29 9110
tcp Out 192.168.206.68:1803 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 02:39:41 21:22:16 29 6394
tcp In 192.168.206.68:1803 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 02:39:41 21:22:16 29 6394
tcp Out 192.168.206.68:1812 201.231.105.85:11245 ESTABLISHED:ESTABLISHED 03:39:15 20:22:11 29 6924
tcp In 192.168.206.68:1812 201.231.105.85:11245 ESTABLISHED:ESTABLISHED 03:39:15 20:22:11 29 6924
tcp Out 192.168.206.68:1835 217.217.200.203:17061 ESTABLISHED:ESTABLISHED 02:39:14 21:22:12 27 5520
tcp In 192.168.206.68:1835 217.217.200.203:17061 ESTABLISHED:ESTABLISHED 02:39:14 21:22:12 27 5520
....... hundreds of additional lines.....

tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
15:57:42.084566 IP 190-48-228-10.speedy.com.ar.17965 > 192.168.206.68.2857: . ack 596211574 win 65535
15:57:42.168104 IP 118.Red-80-39-36.staticIP.rima-tde.net.36216 > 192.168.206.68.2834: P 1891454167:1891455619(1452) ack 2551747276 win 64309
15:57:42.178015 IP 192.168.206.68.2834 > 118.Red-80-39-36.staticIP.rima-tde.net.36216: . ack 1468 win 17424 <nop,nop,sack 1 {2928:5848}>
15:57:42.195437 IP 192.168.206.68.2857 > 190-48-228-10.speedy.com.ar.17965: . 1:1461(1460) ack 0 win 17520
15:57:42.228560 IP 192.168.206.68.2857 > 190-48-228-10.speedy.com.ar.17965: P 1461:2921(1460) ack 0 win 17520
15:57:42.245113 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 2223585051:2223586503(1452) ack 3314120697 win 17424
15:57:42.278376 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 1452:2904(1452) ack 1 win 17424
15:57:42.343667 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: P 2904:2920(16) ack 1 win 17424
15:57:42.352077 IP 192.168.206.68.2857 > 190-48-228-10.speedy.com.ar.17965: P 2921:4381(1460) ack 0 win 17520
15:57:42.361303 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 2920:4372(1452) ack 1 win 17424
15:57:42.374727 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: P 4372:4380(8) ack 1 win 17424
15:57:42.478261 IP 84.122.171.232.dyn.user.ono.com.10397 > 192.168.206.68.1914: . 1:1453(1452) ack 1452 win 11616
15:57:42.478275 IP 84.122.171.232.dyn.user.ono.com.10397 > 192.168.206.68.1914: P 1453:1461(8) ack 1452 win 11616
15:57:42.481236 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . ack 1461 win 17424
15:57:42.482575 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 4380:5832(1452) ack 1461 win 17424
15:57:42.484578 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 5832:7284(1452) ack 1461 win 17424
15:57:42.484582 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: P 7284:7300(16) ack 1461 win 17424
...... hundreds of additional lines...

arp -a:

? (192.168.206.68) at 00:15:00:3d:fc:ea on fxp0 [ethernet]

ping:

proxy# ping 192.168.206.68
PING 192.168.206.68 (192.168.206.68): 56 data bytes
^C
--- 192.168.206.68 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

nmap:

proxy# nmap -sS 192.168.206.68
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 16:01 CST
All 1697 scanned ports on 192.168.206.68 are filtered
MAC Address: 00:15:00:3D:FC:EA (Intel Corporate)
Nmap finished: 1 IP address (1 host up) scanned in 35.725 seconds

proxy# nmap -O 192.168.206.68
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 16:03 CST
Warning: OS detection for 192.168.206.68 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 192.168.206.68 are filtered
MAC Address: 00:15:00:3D:FC:EA (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 36.794 seconds

thanks
--- miguel
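As an added example (not part of Miguel's post), a small Python script for the two triage steps a defender would run offline on exactly the kind of output shown above: tally pf state bytes and distinct peers per internal source address so the heavy host stands out without scrolling pftop, and compare the gateway's `arp -a` table against an inventory of assigned hosts so an address nobody assigned is flagged together with the MAC to look up in the switch's forwarding table. The pftop lines, the arp lines and the KNOWN_HOSTS inventory are constructed samples; the `direction` parameter and the inventory format are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in pftop's state-view layout:
#   proto dir src:port dst:port state age expires pkts bytes
PFTOP_SAMPLE = """\
tcp Out 192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp In 192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp Out 192.168.206.68:1689 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp Out 192.168.206.10:50001 203.0.113.5:443 ESTABLISHED:ESTABLISHED 00:00:10 23:59:50 12 1800
"""
# Constructed sample in FreeBSD `arp -a` layout, as seen on the gateway
ARP_SAMPLE = """\
? (192.168.206.68) at 00:15:00:3d:fc:ea on fxp0 [ethernet]
fileserver (192.168.206.10) at 00:11:22:33:44:55 on fxp0 [ethernet]
"""
# Constructed (hypothetical) inventory: MAC -> IP the admin assigned; in practice DHCP leases or an asset list
KNOWN_HOSTS = {"00:11:22:33:44:55": "192.168.206.10"}
STATE_RE = re.compile(
    r"^(\w+)\s+(In|Out)\s+(\S+?):(\d+)\s+(\S+?):(\d+)\s+\S+\s+\S+\s+\S+\s+(\d+)\s+(\d+)$")
ARP_RE = re.compile(r"^\S+ \((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17}) on (\S+)")

def traffic_by_source(pftop_text, direction="Out"):
    """Bytes and distinct remote peers per source IP, heaviest first. Only one
    direction is counted: pf keeps an In and an Out state for each NATed flow."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for line in pftop_text.splitlines():
        m = STATE_RE.match(line.strip())
        if m and m.group(2) == direction:
            stats[m.group(3)]["bytes"] += int(m.group(8))
            stats[m.group(3)]["peers"].add(m.group(5))
    ranked = sorted(stats.items(), key=lambda kv: -kv[1]["bytes"])
    return {ip: {"bytes": s["bytes"], "peers": len(s["peers"])} for ip, s in ranked}

def unknown_arp_entries(arp_text, known):
    """(ip, mac, iface) for ARP entries whose MAC/IP pair is not in the inventory."""
    unknown = []
    for line in arp_text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ip, mac, iface = m.groups()
            if known.get(mac.lower()) != ip:
                unknown.append((ip, mac.lower(), iface))
    return unknown

if __name__ == "__main__":
    for ip, s in traffic_by_source(PFTOP_SAMPLE).items():
        print(f"{ip:<16} {s['bytes']:>8} bytes out to {s['peers']} peers")
    for ip, mac, iface in unknown_arp_entries(ARP_SAMPLE, KNOWN_HOSTS):
        print(f"unassigned {ip} is {mac} on {iface}: look that MAC up in the switch table")
```

Feed it `pftop -b` style output and `arp -a` from the gateway in place of the samples; the flagged MAC is the key that ties the unassigned address to a physical switch port or DHCP lease.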